h0rac / tplink


TP-Link TL-WR941ND V5 #1

Open lorrangarcia opened 5 years ago

lorrangarcia commented 5 years ago

Hi Grzegorz,

My name is Lorran, and I am a student at Unisinos University in Brazil. I'm doing a pentest for my final project, and I'm using the TP-Link TL-WR941ND with hardware version 5. A different version of your exploit was made, and this firmware: https://static.tp-link.com/resources/software/TL-WR940N_V2_131129_BR.zip

When I try to execute it, I receive the error below:

[image]

I was able to reproduce the vulnerability by intercepting the request with BurpSuite and changing the ping request to contain a lot of characters, but the only effect was a DoS on the web server of the router administration. Is that the expected result?

As far as I know, this type of vulnerability could let an attacker execute arbitrary code on the system, but it's not clear to me whether your exploit executes a payload to do something like open a reverse connection on the router, or just causes a DoS in the web server of the router administration.

I wonder if you could explain to me:

  1. Why am I not able to execute your exploit on my router? I think there are minor differences in the memory addresses or the web interface between the model tested by you and my router.
  2. Does this vulnerability just cause a DoS on the router's web server, or is it possible to do something more useful from the attacker's point of view?

Thanks in advance for your attention.

h0rac commented 5 years ago

Hi Lorran

Yes, it should open a reverse shell. The error you got is related to the not-so-well implemented retrieval of the folder name, which is generated for each new session. Try a few times and eventually it should split the URL correctly and retrieve the folder name for the exploit. For me it works on the second shot :)

```python
# Fragment of the exploit: pull the per-session folder name out of the
# redirect URL in the router's response, then build the Referer for the
# DiagnosticRpm.htm request. The fixed split indices are what makes it fragile.
directory = req.text.split('=')[2].split('/')[3]
print('[+] Retrieved folder name: %s' % directory)
req.close()
referer = 'http://192.168.0.1/{0}/userRpm/DiagnosticRpm.htm'.format(directory)
```

Sometimes the folder generated by the TP-LINK firmware is not properly split; I will need to work on making it more reliable.

1) Why am I not able to execute your exploit on my router? I think there are minor differences in the memory addresses or the web interface between the model tested by you and my router.

When I look at your memory addresses of the gadgets, they are the same, so it should work; it shouldn't be an issue.

2) Does this vulnerability just cause a DoS on the router's web server, or is it possible to do something more useful from the attacker's point of view?

It's not a DoS; it gives control of the MIPS $s1/$s2 and $ra registers.

Please also note that you do not yet get to the point where the gadgets are executed and the RA address is overwritten. You stopped with an error on retrieving the folder name from the URL, which is required to send a valid request.

Regards H0rac
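A defender-side counterpart to the DoS-versus-control point above, added here and not part of this thread or of h0rac's exploit: a small Python 3 scanner over constructed access-log lines that flags requests to DiagnosticRpm.htm (with or without the per-session folder in the path, both forms appear in this thread) that carry an oversized query value, the condition that corrupts $s1/$s2/$ra rather than merely crashing httpd. The parameter name ping_addr, the 64-byte threshold and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Diagnostic page path, with or without the per-session folder that newer
# firmware inserts before /userRpm/ (both path forms appear in the thread).
DIAG_PATH = re.compile(r"^/(?:[A-Za-z0-9]+/)?userRpm/DiagnosticRpm\.htm$")

# Assumed threshold: a single query value longer than this is treated as a
# likely overflow attempt against the ping handler.
MAX_VALUE_LEN = 64

# Assumed combined-style access log line: client, identd, user, [time], "request", status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def check_line(line):
    """Return (src_ip, param, value_len) for a suspicious DiagnosticRpm request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not DIAG_PATH.match(parts.path):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_VALUE_LEN:
            return (m.group("src"), name, len(value))
    return None

def scan(lines):
    """Run check_line over every line and keep the hits."""
    return [hit for hit in (check_line(l) for l in lines) if hit]

# Constructed sample log lines (not captured from a real device); ping_addr is an assumed name.
SAMPLE_LOG = [
    '192.168.0.100 - - [01/Jan/2020:10:00:00 +0000] "GET /ABCDEF0123456789/userRpm/DiagnosticRpm.htm?ping_addr=8.8.8.8&doType=ping HTTP/1.1" 200 512',
    '192.168.0.100 - - [01/Jan/2020:10:00:05 +0000] "GET /userRpm/DiagnosticRpm.htm?ping_addr=' + "A" * 600 + '&doType=ping HTTP/1.1" 200 0',
    '192.168.0.100 - - [01/Jan/2020:10:00:07 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, param, length in scan(SAMPLE_LOG):
        print("[!] %s sent a %d-byte value in '%s' to DiagnosticRpm.htm" % (src, length, param))
```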

lorrangarcia commented 5 years ago

Thanks!

I changed the lines that you mentioned to:

```python
referer = 'http://192.168.0.1/userRpm/DiagnosticRpm.htm'
```

My firmware doesn't have this folder, but I'm still not able to get a reverse shell.

[image]

h0rac commented 5 years ago

You need to change the assembly shellcode to the IP address you want to use for router connectivity, or address it the same as in the example.

The shellcode expects the reverse IP to be:

```python
import socket
# The four raw bytes embedded in the shellcode, shown as a dotted-quad address
socket.inet_ntoa(b"\x3c\x0e\xc0\xA8")  # '60.14.192.168'
```